Published: June 13, 2011
Dostupno i na hrvatskom
Despite the global prevalence of Windows 7 and spreading the notion of it
being the most secure ever, good old XP will be with us for quite some
time due to antique hardware that came preinstalled with it and lacks the power
to run anything else. With proper setup it can be made just as secure, if not
even more secure than Windows 7. The major part of XP's reputation for being insecure
comes from the fact that all new users are by default given full administrative privileges. This creates a wide open door for viruses, worms, spyware and all
other kinds of malware to install freely deep into the roots of the system. On
the other side, limited user account creates impermeable barrier against
installing anything into the system, including malware. I will stop right here
and spare you of explanation why is it so, enough has been written about the
subject already. A simple explanation is here,
really detail (and unnecessary for casual users) explanation is here.
I'm not going to persuade you now to run your Windows XP in full limited mode. I know it is not easy. It requires more self-discipline than most casual users posses. Each and single system-wide change (even the most elementary one, e.g. changing the system time) would mean logging off, logging in as administrator, doing the change, logging of from administrator account, logging in as regular user...
To simplify it, Windows provide the command RunAs which can be used by a limited user to temporarily run a program with administrative privileges.
There is an alternative way that binds together the freedom of administrative privileges and the security of limited account.
If you are the only user on your computer, then you are the user with administrative privileges, as no other way is possible with only one user account. We need to create a limited user account for our course of action. In the Control Panel open User Accounts. Create a new user, give it the name limited. Create the password for the user as the command RunAs can't work without a password. For simplicity choose the password limited. It is necessary to log in at least once as the newly created user in order to create the user profile and user folders. So, click on Start -> Log Off..., choose the new user limited, enter the password limited, a short pause while the profile is created, log off immediately and log on back to your usual account.
To hit the heart of the problem we'll be protecting the web browser (Mozilla Firefox in this
case) since surfing the web is the most likely activity to result with malware
infection (the second most critical is over USB
flash drives). We will be using the command RunAs turned upside down. With
its help the administrator will run the browser as limited user.
Open the properties of the Firefox shortcut (Right-click -> Properties from the menu). In the Target field add runas /user:limited /savecred in front of the program name. Don't touch anything else. The /savecred option will remember the password for successive starts (it has no effect under XP Home). It should look like this...
Close the dialog with OK. Start the browser with the modified
shortcut. The password limited will have to be
entered just the first time (except in the case of XP Home which cannot remember
RunAs passwords). On succesive runs a console window will flash
shortly which is a handy indication that RunAs is called to run the program with
To check whether the protection works try to do something forbidden to non-administrators. Choose File -> Save Page As..., enter the file name %WINDIR%\VIRUS.EXE and click Save. You should get something like this...
The message says it all. Looks a lot like windows 7 UAC confirmation dialog with the significant benefit that whatever you choose here, you cannot infect your system. If a real virus tries to attack, it will be denied access from the very beginning and no warning will be given about it.
I personally advocate working all the time under full limited user account.
Such configuration can survive some seriously irresponsible user behaviour. And
if some malware gets through, it will infect only the user's folders, not the
whole system. A new user can be created and old (infected) deleted in a matter
Alternatively, this semi-limited mode applied only to selected critical programs provides something like 95% protection compared to fully limited account with virtually zero negative side effects.
The only inconvenience that one has to get used to can arise when something is saved from semi-limited account, say to Desktop. It will be the Desktop of the limited user, the location of which is C:\Documents and Settings\limited\Desktop. The same applies to My Documents, Downloads, etc. No problem at all, as long as you know where to look for it.
Finally, add this to your registry and you won't even know that there is another user in the system (it will log you on automatically, and will prevent the screen saver from locking you off).